Hackers claim zero-day flaw in Firefox

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

http://news.com.com/2100-1002_3-6121608.html?part=rss&tag=6121608&subj=news

:dunce:

Just a guess, but I bet it's not as high as you think?

you tell it not to. It's AWESOME - I haven't had ANY spyware, viruses, or malware since I installed it 6 months ago. It rocks!

https://addons.mozilla.org/firefox/722/

Easy to use, SUPER DUPER safe.

Bittorrent clients and IE seems to be the easiest way to get malware. I haven't read about folks getting firefox malware but I'm sure it's out there. This article is the first I've seen on javascript exploits on FF, but I havent really been paying attention.

These clowns in the article sound like real punks though.

I embedded the SpiderMonkey libraries into an application once -- it was a bit cantakerous.

They should consider swapping in Rhino, the Java-based JavaScript engine they wrote for the cancelled 'Javagator/Javazilla' browser. I've both embedded it in applications and used it server-side via Tomcat, and it seems clean as a whistle. Plus you'd have the added protection of a layer of 'Java sandbox' preventing malicious attacks, too.

Of course, it would cause a whole host of different problems, like probably using more memory, being borked on Windows until the user installs a JRE, etc...:shrug:

any advice to people who have firefox and dont know what your talking about? And talk to me like im a five year old...

Turn JavaScript off.

:)

"The implementation is a "complete mess," he said. "It is impossible to patch." "

Bullshit. Straight up, regarding it not being possible to patch it.

These guys are assholes seeking publicity.

"The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding on to the bugs."

In order to sell them off to illegal bot net networks in Russia?

Crash my machine? Empty my bank account? Delete my identity? Make me grow hair in odd places? What?

are ways of executing code on a remote computer (yours).

Generally the code "injected" via these exploits of lazy programmers, is a server of some kind, that makes a network connection back to an IRC chat room channel where a bunch of hackers get notification that your machine is ready for use by the criminals. They are generally just used as hopping off points for further crime, sending spam and driving up clickthrough revenue on sites they own or get the revenue from.

What sucks about this threat is these little co!@suckers won't give up the goods to the Mozilla Security team. (At 500 per bug) I'm guessing they know they can get more money from eastern european crime rings...

the worse viruses make you fall in love with Ann Coulter

was that they were more commenting on how pervasive the problem was. Surely a patch could replace the entire thing, but it does make them look like opportunist idiots. I say arrest them and torture them to make them improve my security!! Hell it works for the US govt. right? :sarcasm:

I have 1.5 gigabytes of memory in my machine. Firefox, if run for hours can take as much as 500 megabytes of memory or more. It takes up alot of memory. The makers of Firefox need to fix this.

You could try this.
http://tech.cybernetnews.com/2006/03/26/this-may-help-your-firefox-memory-leak/

And anil dash is a reasonable guy, he works at sixapart (livejournal, movabletype, vox) I sent him mail to get his take on a sixapart employee pullings this shit.

...with two clicks of the mouse, you can clear your cache. That's the beauty of Firefox (unlike Explorer) - there are all kinds of sweet extensions you can download to customize Firefox the way YOU want it. You just have to do a little bit of Google research.

You see a TV commercial told me that Mac's don't get viruses, so that article must be wrong. :sarcasm:

Say you are a hacker, you go after the largest slice of the market. You don't choose to hack the mac, not because of it's super duper inherent betterness, but rather you stay away from Macs, because there's only a 10-15% chance (probably less) that any computer at random on the internet is a Mac.

I know you probably knew this, but still it's worth pointing out.